From e72094d4b817ad87a3b39e812651f536ee2acbce Mon Sep 17 00:00:00 2001 From: detailyang Date: Mon, 16 Jan 2017 15:04:07 +0800 Subject: [PATCH 1/5] feature: tcpsock:setsslcert to send client cert --- src/ngx_http_lua_socket_tcp.c | 80 ++++++ src/ngx_http_lua_ssl.c | 109 +++++++- src/ngx_http_lua_ssl.h | 4 + t/129-ssl-socket.t | 466 +++++++++++++++++++++++++++++++++- t/cert/ca.crt | 13 + t/cert/ca.key | 18 ++ t/cert/client.cer | 15 ++ t/cert/client.crt | 15 ++ t/cert/client.csr | 17 ++ t/cert/client.key | 30 +++ t/cert/client.p12 | Bin 0 -> 2221 bytes t/cert/client.pfx | Bin 0 -> 2221 bytes t/cert/client.unsecure.key | 27 ++ t/cert/generate-openssl.sh | 28 ++ t/cert/server.cer | 15 ++ t/cert/server.crt | 15 ++ t/cert/server.csr | 17 ++ t/cert/server.key | 30 +++ t/cert/server.unsecure.key | 27 ++ 19 files changed, 924 insertions(+), 2 deletions(-) create mode 100644 t/cert/ca.crt create mode 100644 t/cert/ca.key create mode 100644 t/cert/client.cer create mode 100644 t/cert/client.crt create mode 100644 t/cert/client.csr create mode 100644 t/cert/client.key create mode 100644 t/cert/client.p12 create mode 100644 t/cert/client.pfx create mode 100644 t/cert/client.unsecure.key create mode 100755 t/cert/generate-openssl.sh create mode 100644 t/cert/server.cer create mode 100644 t/cert/server.crt create mode 100644 t/cert/server.csr create mode 100644 t/cert/server.key create mode 100644 t/cert/server.unsecure.key diff --git a/src/ngx_http_lua_socket_tcp.c b/src/ngx_http_lua_socket_tcp.c index de8762f8ce..ef68298d6c 100644 --- a/src/ngx_http_lua_socket_tcp.c +++ b/src/ngx_http_lua_socket_tcp.c 
@@ -16,12 +16,14 @@ #include "ngx_http_lua_output.h" #include "ngx_http_lua_contentby.h" #include "ngx_http_lua_probe.h" +#include "ngx_http_lua_ssl.h" static int ngx_http_lua_socket_tcp(lua_State *L); static int ngx_http_lua_socket_tcp_connect(lua_State *L); #if (NGX_HTTP_SSL) static int ngx_http_lua_socket_tcp_sslhandshake(lua_State *L); +static int ngx_http_lua_socket_tcp_setsslcert(lua_State *L); #endif static int ngx_http_lua_socket_tcp_receive(lua_State *L); static int ngx_http_lua_socket_tcp_send(lua_State *L); @@ -285,6 +287,9 @@ ngx_http_lua_inject_socket_tcp_api(ngx_log_t *log, lua_State *L) lua_pushcfunction(L, ngx_http_lua_socket_tcp_sslhandshake); lua_setfield(L, -2, "sslhandshake"); + lua_pushcfunction(L, ngx_http_lua_socket_tcp_setsslcert); + lua_setfield(L, -2, "setsslcert"); + #endif lua_pushcfunction(L, ngx_http_lua_socket_tcp_receive); 
@@ -1200,6 +1205,81 @@ ngx_http_lua_socket_conn_error_retval_handler(ngx_http_request_t *r, #if (NGX_HTTP_SSL) +static int +ngx_http_lua_socket_tcp_setsslcert(lua_State *L) +{ + ngx_str_t password = ngx_null_string; + + int n; + ngx_int_t rc; + ngx_str_t cert, priv_key; + ngx_connection_t *c; + ngx_http_request_t *r; + ngx_http_lua_socket_tcp_upstream_t *u; + + /* Lua function arguments: self ,cert ,priv_key [,password] */ + + n = lua_gettop(L); + if (n < 1 || n > 4) { + return luaL_error(L, "ngx.socket setsslcert: expecting 1 ~ 4 " + "arguments (including the object), but seen %d", n); + } + + r = ngx_http_lua_get_req(L); + if (r == NULL) { + return luaL_error(L, "no request found"); + } + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "lua tcp socket ssl set certificate"); + + luaL_checktype(L, 1, LUA_TTABLE); + + lua_rawgeti(L, 1, SOCKET_CTX_INDEX); + u = lua_touserdata(L, -1); + + if (u == NULL + || u->peer.connection == NULL + || u->read_closed + || u->write_closed) + { + lua_pushnil(L); + lua_pushliteral(L, "closed"); + return 2; + } + + if (u->request != r) { + return luaL_error(L, "bad request"); + } + + c = u->peer.connection; + + if (c->ssl) { + lua_pushnil(L); + lua_pushliteral(L, "sslhandshaked"); + return 2; + } + + cert.data = (u_char *) luaL_checklstring(L, 2, &cert.len); + priv_key.data = (u_char *) luaL_checklstring(L, 3, &priv_key.len); + + if (n == 4) { + password.data = (u_char *) luaL_checklstring(L, 4, &password.len); + } + + rc = ngx_http_lua_ssl_certificate(u->conf->ssl, &cert, &priv_key, + &password, r->connection->log); + if (rc != NGX_OK) { + lua_pushnil(L); + lua_pushliteral(L, "failed to set ssl certificate"); + return 2; + } + + lua_pushinteger(L, 1); + return 1; +} + + static int ngx_http_lua_socket_tcp_sslhandshake(lua_State *L) { diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index 8ed7b95417..5d56c3d1fb 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c 
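Review bot: The certificate and key are installed on a configuration-level context instead of on this socket's connection: `ngx_http_lua_ssl_certificate(u->conf->ssl, &cert, &priv_key, &password, r->connection->log)` passes the `ngx_ssl_t` taken from `u->conf`, and the helper added in src/ngx_http_lua_ssl.c calls `SSL_CTX_use_certificate(ssl->ctx, ...)` and `SSL_CTX_use_PrivateKey(ssl->ctx, ...)` on it. If `u->conf->ssl` is shared by every cosocket of that location (its definition is outside this diff, so this is inferred from the name), the credential outlives the socket and would be presented by later handshakes from unrelated requests, including to other peers. It should be bound to this connection instead, for example kept on `u` and applied to the connection's `SSL` object with `SSL_use_certificate()` / `SSL_use_PrivateKey()` during sslhandshake. Separately, `if (n < 1 || n > 4)` accepts calls without cert and key although arguments 2 and 3 are mandatory; `if (n < 3 || n > 4)` with a matching "3 ~ 4" message would agree with the comment `self ,cert ,priv_key [,password]`.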
@@ -12,7 +12,6 @@ #if (NGX_HTTP_SSL) - int ngx_http_lua_ssl_ctx_index = -1; 
@@ -34,4 +33,112 @@ ngx_http_lua_ssl_init(ngx_log_t *log) } +int +ngx_http_lua_ssl_password_callback(char *buf, int size, int rwflag, + void *userdata) +{ + ngx_str_t *pwd = userdata; + + if (rwflag) { + ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0, + "ngx_ssl_password_callback() is called for encryption"); + return 0; + } + + if (pwd->len == 0) { + return 0; + } + + if (pwd->len > (size_t) size) { + ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0, + "password is truncated to %d bytes", size); + } else { + size = pwd->len; + } + + ngx_memcpy(buf, pwd->data, size); + + return size; +} + + +ngx_int_t +ngx_http_lua_ssl_certificate(ngx_ssl_t *ssl, ngx_str_t *cert, + ngx_str_t *priv_key, ngx_str_t *password, ngx_log_t *log) +{ + BIO *cbio = NULL; + BIO *pbio = NULL; + X509 *x509 = NULL; + EVP_PKEY *pkey = NULL; + ngx_int_t rc = NGX_ERROR; + + cbio = BIO_new_mem_buf((char *)cert->data, cert->len); + if (cbio == NULL) { + ngx_ssl_error(NGX_LOG_ERR, log, 0, "BIO_new_mem_buf() failed"); + goto done; + } + + /* + * Reading the PEM-formatted certificate from memory into an X509 + */ + + x509 = PEM_read_bio_X509(cbio, NULL, 0, NULL); + if (x509 == NULL) { + ngx_ssl_error(NGX_LOG_ERR, log, 0, "PEM_read_bio_X509() failed"); + goto done; + } + + if (!SSL_CTX_use_certificate(ssl->ctx, x509)) { + ngx_ssl_error(NGX_LOG_ERR, log, 0, "SSL_CTX_use_certificate() failed"); + goto done; + } + + pbio = BIO_new_mem_buf((char *)priv_key->data, priv_key->len); + if (pbio == NULL) { + ngx_ssl_error(NGX_LOG_ERR, log, 0, "BIO_new_mem_buf() failed"); + goto done; + } + + pkey = PEM_read_bio_PrivateKey(pbio, NULL, + ngx_http_lua_ssl_password_callback, + (void *)password); + if (pkey == NULL) { + ngx_ssl_error(NGX_LOG_ERR, log, 0, "PEM_read_bio_PrivateKey() failed"); + goto done; + } + + if (!SSL_CTX_use_PrivateKey(ssl->ctx, pkey)) { + ngx_ssl_error(NGX_LOG_ERR, log, 0, "SSL_CTX_use_PrivateKey() failed"); + goto done; + } + + rc = NGX_OK; + +done: + + if (pkey) { + EVP_PKEY_free(pkey); + } + + if 
(x509) { + X509_free(x509); + } + + if (pbio) { + BIO_free(pbio); + } + + if (cbio) { + BIO_free(cbio); + } + + if (rc == NGX_ERROR) { + ERR_clear_error(); + } + + SSL_CTX_set_default_passwd_cb(ssl->ctx, NULL); + + return rc; +} + #endif /* NGX_HTTP_SSL */ diff --git a/src/ngx_http_lua_ssl.h b/src/ngx_http_lua_ssl.h index 7a245ffda7..f8b0207148 100644 --- a/src/ngx_http_lua_ssl.h +++ b/src/ngx_http_lua_ssl.h @@ -35,6 +35,10 @@ typedef struct { ngx_int_t ngx_http_lua_ssl_init(ngx_log_t *log); +int ngx_http_lua_ssl_password_callback(char *buf, int size, int rwflag, + void *userdata); +ngx_int_t ngx_http_lua_ssl_certificate(ngx_ssl_t *ssl, ngx_str_t *cert, + ngx_str_t *priv_key, ngx_str_t *password, ngx_log_t *log); extern int ngx_http_lua_ssl_ctx_index; diff --git a/t/129-ssl-socket.t b/t/129-ssl-socket.t index 726b4423c9..6581c693ef 100644 --- a/t/129-ssl-socket.t +++ b/t/129-ssl-socket.t @@ -1,10 +1,11 @@ # vim:set ft= ts=4 sw=4 et fdm=marker: use Test::Nginx::Socket::Lua; +use Digest::MD5 qw(md5_hex); repeat_each(2); -plan tests => repeat_each() * 219; +plan tests => repeat_each() * 234; $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); 
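Review bot: `SSL_CTX_set_default_passwd_cb(ssl->ctx, NULL);` after the `done:` label of ngx_http_lua_ssl_certificate() resets a context-wide setting that this function never sets, since the passphrase reaches `PEM_read_bio_PrivateKey()` through its own callback argument; it would silently drop a callback installed elsewhere on the same context, and the line can be removed. `cert->len` and `priv_key->len` are `size_t` while `BIO_new_mem_buf()` takes an `int` length, so a guard such as `if (cert->len > INT_MAX || priv_key->len > INT_MAX) { return NGX_ERROR; }` before the first BIO is worth adding. In ngx_http_lua_ssl_password_callback() an over-long passphrase is truncated and the read continues; returning 0 in that branch, as the `rwflag` branch does, would make the failure explicit. As far as this diff shows the callback is only used inside src/ngx_http_lua_ssl.c, so it could be `static` rather than declared in ngx_http_lua_ssl.h.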
@@ -31,6 +32,63 @@ our $EquifaxRootCertificate = read_file("t/cert/equifax.crt"); our $TestCertificate = read_file("t/cert/test.crt"); our $TestCertificateKey = read_file("t/cert/test.key"); our $TestCRL = read_file("t/cert/test.crl"); +our $clientKey = read_file("t/cert/client.key"); +our $clientUnsecureKey = read_file("t/cert/client.unsecure.key"); +our $clientCrt = read_file("t/cert/client.crt"); +our $clientCrtMd5 = md5_hex($clientCrt); +our $serverKey = read_file("t/cert/server.key"); +our $serverUnsecureKey = read_file("t/cert/server.unsecure.key"); +our $serverCrt = read_file("t/cert/server.crt"); +our $caKey = read_file("t/cert/ca.key"); +our $caCrt = read_file("t/cert/ca.crt"); +our $sslhttpconfig = <<_EOS_; +server { + listen 1983 ssl; + server_name server; + ssl_certificate ../html/server.crt; + ssl_certificate_key ../html/server.unsecure.key; + ssl_client_certificate ../html/ca.crt; + ssl_verify_client on; + + server_tokens off; + + location / { + default_type 'text/plain'; + content_by_lua_block { + ngx.say("foo") + } + more_clear_headers Date; + } + + location /cert { + default_type 'text/plain'; + content_by_lua_block { + ngx.say(ngx.md5(ngx.var.ssl_client_raw_cert)) + } + more_clear_headers Date; + } +} +_EOS_ +our $certfiles = <<_EOS_; +>>> client.key +$clientKey +>>> client.unsecure.key +$clientUnsecureKey +>>> client.crt +$clientCrt +>>> server.key +$serverKey +>>> server.unsecure.key +$serverUnsecureKey +>>> server.crt +$serverCrt +>>> ca.key +$caKey +>>> ca.crt +$caCrt +>>> wrong.crt +OpenResty +_EOS_ run_tests(); 
@@ -2618,3 +2676,409 @@ qr/\[error\] .* ngx.socket sslhandshake: expecting 1 ~ 5 arguments \(including t --- no_error_log [alert] --- timeout: 5 + + + +=== TEST 33: setsslcert, too many arguments +--- config + resolver $TEST_NGINX_RESOLVER ipv6=off; + location /t { + content_by_lua_block { + local sock = ngx.socket.tcp() + sock:settimeout(5000) + + local ok, err = sock:connect("openresty.org", 443) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local ok, err = sock.setsslcert() + } + } + +--- request +GET /t + +--- ignore_response +--- error_log eval +qr/\[error\] .* ngx.socket setsslcert: expecting 1 ~ 4 arguments \(including the object\), but seen 0/ +--- timeout: 5 + + + +=== TEST 34: setsslcert should return error on closed connection +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER ipv6=off; + lua_ssl_trusted_certificate ../html/ca.crt; + + location /t { + content_by_lua_block { + function read_file(file) + local f = io.open(file, "rb") + local content = f:read("*all") + f:close() + return content + end + + local sock = ngx.socket.tcp() + sock:settimeout(3000) + + local cert = read_file("$TEST_NGINX_HTML_DIR/client.crt") + local key = read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key") + + local ok, err = sock:setsslcert(cert, key) + if not ok then + ngx.say("failed to set ssl certificate: ", err) + return + end + } + } + +--- request +GET /t +--- response_body +failed to set ssl certificate: closed + +--- user_files eval: $::certfiles +--- timeout: 5 + + +=== TEST 35: setsslcert should return error on sslhandshaked connection +--- http_config eval: $::sslhttpconfig +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER ipv6=off; + lua_ssl_trusted_certificate ../html/ca.crt; + + location /t { + content_by_lua_block { + function read_file(file) + local f = io.open(file, "rb") + local content = f:read("*all") + f:close() + return content + end + + local sock = ngx.socket.tcp() 
+ sock:settimeout(3000) + local ok, err = sock:connect("127.0.0.1", 1983) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + local sess, err = sock:sslhandshake(nil, nil, true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + local cert = read_file("$TEST_NGINX_HTML_DIR/client.crt") + local key = read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key") + + local ok, err = sock:setsslcert(cert, key) + if not ok then + ngx.say("failed to set ssl certificate: ", err) + return + end + } + } + +--- request +GET /t +--- response_body +failed to set ssl certificate: sslhandshaked + +--- user_files eval: $::certfiles +--- timeout: 5 + + + +=== TEST 36: setsslcert send client certificate with nopassword private key +--- http_config eval: $::sslhttpconfig +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER ipv6=off; + lua_ssl_trusted_certificate ../html/ca.crt; + + location /t { + content_by_lua_block { + function read_file(file) + local f = io.open(file, "rb") + local content = f:read("*all") + f:close() + return content + end + + do + local sock = ngx.socket.tcp() + sock:settimeout(3000) + local ok, err = sock:connect("127.0.0.1", 1983) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local cert = read_file("$TEST_NGINX_HTML_DIR/client.crt") + local key = read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key") + + local ok, err = sock:setsslcert(cert, key) + if not ok then + ngx.say("failed to set ssl certificate: ", err) + return + end + + local sess, err = sock:sslhandshake(nil, nil, true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /cert HTTP/1.0\r\nHost: server\r\nConnection: close\r\n\r\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, 
" bytes.") + + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to receive response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + collectgarbage() + } + } + +--- request +GET /t +--- response_body eval +"connected: 1 +ssl handshake: userdata +sent http request: 55 bytes. +received: HTTP/1.1 200 OK +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 33 +received: Connection: close +received: +received: $::clientCrtMd5 +close: 1 nil +" + +--- user_files eval: $::certfiles +--- timeout: 5 + + + +=== TEST 37: setsslcert send client certificate with password private key +--- http_config eval: $::sslhttpconfig +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER ipv6=off; + lua_ssl_trusted_certificate ../html/ca.crt; + + location /t { + content_by_lua_block { + function read_file(file) + local f = io.open(file, "rb") + local content = f:read("*all") + f:close() + return content + end + + do + local sock = ngx.socket.tcp() + sock:settimeout(3000) + local ok, err = sock:connect("127.0.0.1", 1983) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local cert = read_file("$TEST_NGINX_HTML_DIR/client.crt") + local key = read_file("$TEST_NGINX_HTML_DIR/client.key") + + local ok, err = sock:setsslcert(cert, key, "openresty") + if not ok then + ngx.say("failed to set ssl certificate: ", err) + return + end + + local sess, err = sock:sslhandshake(nil, nil, true) + if not sess then + ngx.say("failed to do SSL handshake: ", err) + return + end + + ngx.say("ssl handshake: ", type(sess)) + + local req = "GET /cert HTTP/1.0\r\nHost: server\r\nConnection: close\r\n\r\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + + ngx.say("sent http request: ", bytes, " bytes.") 
+ + while true do + local line, err = sock:receive() + if not line then + -- ngx.say("failed to receive response status line: ", err) + break + end + + ngx.say("received: ", line) + end + + local ok, err = sock:close() + ngx.say("close: ", ok, " ", err) + end -- do + collectgarbage() + } + } + +--- request +GET /t +--- response_body eval +"connected: 1 +ssl handshake: userdata +sent http request: 55 bytes. +received: HTTP/1.1 200 OK +received: Server: nginx +received: Content-Type: text/plain +received: Content-Length: 33 +received: Connection: close +received: +received: $::clientCrtMd5 +close: 1 nil +" + +--- user_files eval: $::certfiles +--- timeout: 5 + + + +=== TEST 38: setsslcert set ssl wrong formated certificate +--- http_config eval: $::sslhttpconfig +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER ipv6=off; + lua_ssl_trusted_certificate ../html/ca.crt; + + location /t { + content_by_lua_block { + function read_file(file) + local f = io.open(file, "rb") + local content = f:read("*all") + f:close() + return content + end + + do + local sock = ngx.socket.tcp() + sock:settimeout(3000) + local ok, err = sock:connect("127.0.0.1", 1983) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local cert = read_file("$TEST_NGINX_HTML_DIR/wrong.crt") + local key = read_file("$TEST_NGINX_HTML_DIR/client.key") + + local ok, err = sock:setsslcert(cert, key, "openresty") + if not ok then + ngx.say(err) + return + end + end -- do + } + } + +--- request +GET /t +--- response_body +connected: 1 +failed to set ssl certificate + +--- user_files eval: $::certfiles +--- error_log eval +qr/.*PEM routines:PEM_read_bio:no start line:Expecting: CERTIFICATE.*/ +--- timeout: 5 + + + +=== TEST 39: setsslcert set ssl unmatched private key +--- http_config eval: $::sslhttpconfig +--- config + server_tokens off; + resolver $TEST_NGINX_RESOLVER ipv6=off; + lua_ssl_trusted_certificate ../html/ca.crt; + + location /t { + 
content_by_lua_block { + function read_file(file) + local f = io.open(file, "rb") + local content = f:read("*all") + f:close() + return content + end + + do + local sock = ngx.socket.tcp() + sock:settimeout(3000) + local ok, err = sock:connect("127.0.0.1", 1983) + if not ok then + ngx.say("failed to connect: ", err) + return + end + + ngx.say("connected: ", ok) + + local cert = read_file("$TEST_NGINX_HTML_DIR/client.crt") + local key = read_file("$TEST_NGINX_HTML_DIR/server.unsecure.key") + + local ok, err = sock:setsslcert(cert, key) + if not ok then + ngx.say(err) + return + end + end -- do + } + } + +--- request +GET /t +--- response_body +connected: 1 +failed to set ssl certificate + +--- user_files eval: $::certfiles +--- error_log eval +qr/.*x509 certificate routines:X509_check_private_key:key values mismatch.*/ +--- timeout: 5 + diff --git a/t/cert/ca.crt b/t/cert/ca.crt new file mode 100644 index 0000000000..8d375d0228 --- /dev/null +++ b/t/cert/ca.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIICBjCCAW+gAwIBAgIJAI2B0NyEQy2OMA0GCSqGSIb3DQEBBQUAMA0xCzAJBgNV +BAMTAmNhMB4XDTE3MDExNjA0MDgyNFoXDTE3MDIxNTA0MDgyNFowDTELMAkGA1UE +AxMCY2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALx2PvUnfbWrZrMXZ1EF +Tjp5JB4bSn1zT7K3TYevgCE7fyKgfnrAaYG1Cv1X+d+CR7xqgeWGk/5ruIGdeJpL +Z4zKTzIsjeu7YG4gF6sxicCXoMx3/VLcu5dDD0+HS6+Oh2FN6ieVAe69J2aYQdxE +TYgREfvSwwLPljb/xpyOGJspAgMBAAGjbjBsMB0GA1UdDgQWBBTkNEgjiZEnjBXi +8x895AearNGMnjA9BgNVHSMENjA0gBTkNEgjiZEnjBXi8x895AearNGMnqERpA8w +DTELMAkGA1UEAxMCY2GCCQCNgdDchEMtjjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 +DQEBBQUAA4GBAEgnwLpHaayxknBBpiOrgYdvO1Lt5BfA5EiR1TXMWhKAE3YI6v+J +g0wtYlXFzJukYOTV9Sioqc32nx1SODU2tJV9BOPzeCqJrqMEcJFeVlOzzjWYC44k +HukL07tsvDAjARjGlWWmwRs6Y0zOYbiJRSZZet7nK0Ecd6jB4IqGYpqZ +-----END CERTIFICATE----- diff --git a/t/cert/ca.key b/t/cert/ca.key new file mode 100644 index 0000000000..61b7b77e4e --- /dev/null +++ b/t/cert/ca.key 
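Review bot: None of TEST 33–39 checks that a certificate set on one cosocket stays with that cosocket. A case that calls `setsslcert` on a first socket, then opens a second socket to port 1983 without calling it and expects the `ssl_verify_client on` server to refuse the request, would pin that isolation property. TEST 33 is titled "too many arguments" but calls `sock.setsslcert()` with none and asserts `but seen 0`, so the title should read "too few arguments"; its connect to `openresty.org:443` is not needed for an arity check and makes the test depend on outside network access. The repeated `read_file` helper uses the result of `io.open` without checking it for nil, so a missing fixture shows up as an unrelated Lua error.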
@@ -0,0 +1,18 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,8C1F08E444CB532A + +HXNufjHcExaSHCodIvlFdD4jKCQhubpu+5p82CKpXr4o4qeXhKbjgifLjT/f7kYi +cZYilfHyMoVpDHTi0Kb5fNYK2CfmXjMKu1y5zZ6okkYRTebxz1X0Zi3MrLRfSElL +LqFYnyf6rqcatD9Z2M9JVdeaHYgQ4yOH0ST4rAPvu0FTcHBA3HtCt3cJy42W/Sy1 +xXzGQSwIgOkq1oTam/qHXzd2sUQBWOeq1XwlWetr/RVvndZ2tYO5dLoOBI2WPVjV +VOHdHTPUmQXMKVgZlc+sl1Ugb0FWXcKL3v/orarLQvzSuCBiku1eKYq99oS3R5b7 +8NsMIb0PrsHAQjZkBrTN8j0FJbpzeMrR/1EMBYlLOXDuYF2avSS0cGYp/Tb3sWyH +wmSnpRUAqFOAPInU4oh4Yr1BLQkpo0WB8LNQl4yCQutYv2zuJLD4wt1hH9kC0X4W +WinXAMIPjO9+nmHrCoCU/KI2xDZD4+KPQUCDsiIUpyml6nepxszNbTZJcSEQGtp9 +Kdzmz3KZA0qoxF8eFSPhWokcF7ODRfbOJHV73LsVHQ3er5LMhrEjyTn9wXS39tP7 +r7WnoCzD01zMsl3cTvS5/jZME3mWzCqF2j3/AqwtCcwJV2gKy3QgHnM9ez6Z4Uxf +IFGgDBMa5CBbEv/Tbo42zNpdreL7Cy/7QA7RK4LAtRyZTIEhyCHu8+gTQYts38oz +L8CmGe/QiFh9bBpmcUSpcMqtm7v/7PtNtcuBU8kNuixN2SndFQvWnn9MolD5eGRo +cSUEgDjRUO3wb36ZTk8KKyqdL3mMm3vVqR1sKlCbY1z0f6JqXkpRlQ== +-----END RSA PRIVATE KEY----- diff --git a/t/cert/client.cer b/t/cert/client.cer new file mode 100644 index 0000000000..619937793d --- /dev/null +++ b/t/cert/client.cer 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICZTCCAc4CAQEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAxMCY2EwIBcNMTcw +MTE2MDQwODI0WhgPMjEwMDEyMTcwNDA4MjRaMGMxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK +Ew1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDEwZjbGllbnQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDcjFjwjHI6qx+4LjN8Uvl9KCG6+c2kvMIO0z4p+IHT +yUHJPWMCtLQzoPtiFNAopnaqFU+12e7yD4FrWhaFN1F43qM16ml3g6FUeTXwpLv2 +zrwKFOEMTupHuQRF9R3n+Y/L5nP25P0JX79QRYN5RrkqjIfShE2TQLoaoKPf8Arh +AkRkS42ShTupdPE7iye1Db3iyYJaBa8FF2FYRd5NZgO/7jF1E4njgO0j+Bjg0BrB +4YBoDnx8y9H+EK6jFlCoPLmcttU3FA6/Gl0bu//QV8Kz2O9t3KzA+Xd+amcKQVFw +KnaJn1f6DP00YVsOYnNuX5Z3JajdEosVSNwuzyrNaoTXAgMBAAEwDQYJKoZIhvcN +AQELBQADgYEAikTnhI2mhPricPwUd6XRoA9JJ7/ndKcn2JDZnck0K3roo762Mu16 +2GyOV0mr2ye4TgMhIF6beL/WagYbbcgfYrnzNNraVSSNKGyNFCqgwUYDeRvtdAbi +AzegEEnV/j1fzm4YmIWlwekEf/Qxaep8owWtF6y5Dg8a12WOgtSLjrY= +-----END CERTIFICATE----- diff --git a/t/cert/client.crt b/t/cert/client.crt new file mode 100644 index 0000000000..619937793d --- /dev/null +++ b/t/cert/client.crt @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICZTCCAc4CAQEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAxMCY2EwIBcNMTcw +MTE2MDQwODI0WhgPMjEwMDEyMTcwNDA4MjRaMGMxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK +Ew1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDEwZjbGllbnQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDcjFjwjHI6qx+4LjN8Uvl9KCG6+c2kvMIO0z4p+IHT +yUHJPWMCtLQzoPtiFNAopnaqFU+12e7yD4FrWhaFN1F43qM16ml3g6FUeTXwpLv2 +zrwKFOEMTupHuQRF9R3n+Y/L5nP25P0JX79QRYN5RrkqjIfShE2TQLoaoKPf8Arh +AkRkS42ShTupdPE7iye1Db3iyYJaBa8FF2FYRd5NZgO/7jF1E4njgO0j+Bjg0BrB +4YBoDnx8y9H+EK6jFlCoPLmcttU3FA6/Gl0bu//QV8Kz2O9t3KzA+Xd+amcKQVFw +KnaJn1f6DP00YVsOYnNuX5Z3JajdEosVSNwuzyrNaoTXAgMBAAEwDQYJKoZIhvcN +AQELBQADgYEAikTnhI2mhPricPwUd6XRoA9JJ7/ndKcn2JDZnck0K3roo762Mu16 +2GyOV0mr2ye4TgMhIF6beL/WagYbbcgfYrnzNNraVSSNKGyNFCqgwUYDeRvtdAbi +AzegEEnV/j1fzm4YmIWlwekEf/Qxaep8owWtF6y5Dg8a12WOgtSLjrY= +-----END CERTIFICATE----- 
diff --git a/t/cert/client.csr b/t/cert/client.csr new file mode 100644 index 0000000000..fc1d0d9f6c --- /dev/null +++ b/t/cert/client.csr @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICqDCCAZACAQAwYzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx +FjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFjAUBgNVBAoTDU9wZW5SZXN0eSBJbmMx +DzANBgNVBAMTBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ANyMWPCMcjqrH7guM3xS+X0oIbr5zaS8wg7TPin4gdPJQck9YwK0tDOg+2IU0Cim +dqoVT7XZ7vIPgWtaFoU3UXjeozXqaXeDoVR5NfCku/bOvAoU4QxO6ke5BEX1Hef5 +j8vmc/bk/Qlfv1BFg3lGuSqMh9KETZNAuhqgo9/wCuECRGRLjZKFO6l08TuLJ7UN +veLJgloFrwUXYVhF3k1mA7/uMXUTieOA7SP4GODQGsHhgGgOfHzL0f4QrqMWUKg8 +uZy21TcUDr8aXRu7/9BXwrPY723crMD5d35qZwpBUXAqdomfV/oM/TRhWw5ic25f +lnclqN0SixVI3C7PKs1qhNcCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQA8Wsl1 +pCYCODwQ/7FFkzw3eZfjB/32q5pwsGMmKd8vKgZIxCxFBwF7G3wtbWrOmuRIhkBj +Yj1h4+i4ZS8wjrpHRHpOy9wBp91lfacAnOWouyQe6dtU1j/Fw1jsVAlBKzqqZOHy +b8es7OzReGX1YhAnwKLlX2PCObwyB+8LFEWktpXl2fvH4HnxoEEjSdaXixhS5OBO +td/23rKyz3pZguXCjCxB9+YdXq6wOUTN1pNdLSyR/E63b1DiZN9FgkcfmuTXt0TK +4sjrCzcjUZOZP+/tbkI2PvbrTHSZHe4wcIGbWe2kuEE+nKto1ZZFbjcdSzjAxQcr +A+o4GTdJ0LsAHKiL +-----END CERTIFICATE REQUEST----- diff --git a/t/cert/client.key b/t/cert/client.key new file mode 100644 index 0000000000..bb9a1392b0 --- /dev/null +++ b/t/cert/client.key 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,9640746FEA3CC95B + +0XlzALhxsfzOPhyL8yqqwJF+pmwwGzjOVfE0nkjGKADbdCf6qvq81iGYDObXoESB +Du7PtiTr/iDrcyXjjrRS/usHcUJDVojW3HKEOFXmXGdaqrn9733KmuKRQHNf12Ev +0PDvhMspmRSf3J1uYC8+rqf1hq9Z6Op1WsQS0kP2zrFfSzB7DHgEmHjP/smKM4x3 +S4Xemo0eT8juV/Czz3Cj3oJ/J/VNwZg87cguWQ+10McfykPmuI7z1GLZvphQQktm +dBv7NGAd3IWmkH80akZ/8GtcbUodJTsndHaNLKk0kTPcYoz4mlvMQ/FqYY0B6wKK +FRAvhvxcRnRGq73Kaezl2Kp0re+GdurWyxSFVSrU4Aoxn2ipMKdr9GJ3PdoTRzku +tEbdKZtcMqoS8tAcr6+OOAVtvmzViEfc+QOXj06/7VknIOnTOP/hgzkeXRqpOIP8 +Twq47r4UtAhWYFeabLwg1Uwi1Te2lq9WpgPBja+sprbqN2Lc9W4Y97X1IXUgq6fN +r9viypIIGTaru0jvcnsKXcgFmfRuiJt4B6hrO5XY1BVq89deSJo6EtRdTlezygEv +d7uECTCv93A64jgA7ytFaYAK04fcjJuvIdLPLyZ18S11EHlZQqa7wi/twFY7oAPe +0uOvmaM+flujmCjwpf51neZ+Tx0emho0B5MV9q4tCPpow7bq4NHNrm/Rdug8rdiM +VolwuRvzGG0kP9kA+RI30FtYcWsJzOmf+eNTwoiEit6CrWkFB1+TZOi1wWnQGrw1 +rLKHnuU+Sp4Mkw/XfW2jCKLi5AAjrr3O6MabVz30iBCx+IwiFEgIsFT5lDGvc1mZ +eqdp9UKUwwZcYeWFZVyVSf7joB9b9CJH8GygkMfvcNF0fgMfjLo8y2iyqR0zVHku +Sos/F+dLNR2ohCah1jJ5LDaTB9SGjon5ku/2eLT8WmAfOFGz69OkWQcuR/RwKtP0 +O/wAi8W6vuj3mh04v2dmOt1pgyf3m/Ja5DyBZ93ez+egk5IdRW6IbpxE7akKO93Z +CrsmDcdyldIYHkbXVtygSi+niHOrzo7iiCFdFTJ3zbn2RI9JInZyXmEAN4H639ub +rz9HCV9hjdsPIF1+36jsYKfSK1U3Csg0y6/AhR4jsxZVlsUG+bpoDbQr9lqLKSk8 +dFHOwp+b1iekJuJOhahib+3Wojni4CHWBKycs/7rtn0SJnhrmoTXrOyJgYwuSC0p +BX2Ab/V+WYaLuY9Jx1fCcOlEaBQJasL6wK+IxcZ+lcFoKTPugt7d6KUciNj29AWs +NqkybRSsb9JG2fqXLjFEuaYJdnsyd6DdYeid2I1918NMX+JH68U8MFmLibDXmXZJ +10+K14HN0sxlE9QJ/fxbtUc3Y2Z9Oy+JzlGPg4VDpxAjH+AtoDtYHtfSKD+ExQcD +lkCQT/Fl9F3YxksVapjhRO0dEmdQxgo2YL2esqWALQfUi8av0d6k9fslwfXAcVpo +2kOnNMonZkx1xVU9AQBNeDLccWMKoX8ngffrbCQFfu63ZdB6fHOxnR3FE13xsHNK +uE7Gxj7PJZJs+DyAjuC2nshDtlPjEyRPS7qj+wjdrhwc7VlpNy1iYPIpQUYIp3lz +-----END RSA PRIVATE KEY----- 
diff --git a/t/cert/client.p12 b/t/cert/client.p12 new file mode 100644 index 0000000000000000000000000000000000000000..79999fdb0cba9e6794d253be16ebbcd41d4a3cc9 GIT binary patch literal 2221 zcmY+Ec{CJ?9>>i-V;wajWFM2Inz1LcWGNYI_T4C3LSrrKU{JQ~S;{=FU6#t8F~rrN zAxpBAi%TNIwG+3_dGFo#{`j8XIp6O&zrVhpFO~$a00KZ*65JPxkS1Rz?{WZOfFcsy z8BBuP|Fo^KBoNm>5wwT|V!@JtM?k=@v;9v3zzRZH|NVg-0L5~G;eva{2i(!~fj}Uf zC5i;>dpKrBJ{Nk8LoZ23U{ui3gi8unURz&uu2C5IShArCIbXI(#j>BFB%9wh?Ye0Msn!UVU8Q|(gMrXDYWc(V6XPFHVp7vPF zfWBt))Vu>N_7D-KkD1#5V})W2r9rmtsvR-kD6kEmihF`;XP1Z@ws-mZ1q)KWIH@s^eS`V3c@lhs?@0d8`Z7Aj1(wGxSY&P0TByI$m6u2Y5> zHAI~yW|Q)IW-N1X3xVuR+|N~Sw+oZ*x8`Yx81ENo)7|0kV*?%4HSq*o`7--aFGG>4 z!r7~!Sycy{DJYjtH$mMLo1mzej^ZZ04PB>8M^-Aw>aL;*rSu+Xfsw%RW^{Aajo^|+ z$}ULQC%{7NJ*N5_rf5md7?n-4Sj3Cfl+{ZPTVO>DX>PKZlPouvp19c0YMjAWYFFe% zYie2|C4bir_lE{%COBfsOsg6zi7LbrMIG^oL66msCe3yRD-W5de4{%2594RAZMNN% zbt6VZ>7Q+OGP=dNoahf{C}ZVz;o+V&GS_D~5pRP=mT5NQoraIVDl&KKtI|_vmPVWO%Gt&Sxu8|? z3uk-%D{6d4@PzU)RD`g?Q@(Ny{u4JoNx>BjzcUc_@CV8=`P}lT;Wav5+FRGO=d6$1 zSV~@jdJKJJTRRR1?&%}XHQ^7=8kXhSD@Z*sjkK`^VOXmM=%d#$j8l&;Cf-3@U0siJ zg${@~yorstgtsR$3KQ8nWoXndnUl|Q9MTH`m1kh&DDJf`N(e1p$fjkxvE@@hLH-1+ z(7VK+p76yIt&HC2W0`Ji2)hFz<%D`L?K-V>mRaZ=`-D&*(^_HL2bST$@#N}_K}5jE z=>&6lMn(WSGtpetnmol;7JG>>=fnn#<`2!0 z<-1#3)*IYBw)g$G`oZNJOy4ZP<`HnQPUUWlkiGs50S(+IgMl-_;XF&4gg1N~>IdC{ z*2J%t`jFe!>Q1#Oz`#pu#Nc|e^lPa{GCfBRigVl3TQojBOcl>iV`n$Oanbjk!tC-P z_oawRqRL*;CXNZ}DNNKD++!{6EU&D^gN*{)%SqbE_$q%;LMMWd8z6xN$xkE2Ep$rJ z^6L(inyC2Qx!G`{$r|hAuV7^h0l>C6D2S%KMAifW`9(!tdogDf{Ds)6?b)6VzgCWng zMDg$ZCLAUD?5)~aZ`__QC7^R!{+OA%+>EN;N*QpGo!6pP|S+qS=O$R1HdQh6@XPY=x8MKT6qp(AEZwV~LE zx<<_dxXav=I$4Tg{%Ah;{l1LpR^KlXd4qCkN#FJ-lC z!be06@|FE7zE;~80p`vH^>i=v>#$#hYNA{CP(0F4*RzYA59OxcWEg=@47#g z*tA*68&Q;UAlUWn`O(m!d8kl0-PC5zowVLWz(=9&g0arg0`Jnj2GxpR@()^{`=l=Hx9soO<7tDETdHx4P`iuq; z$jRnU1~xyU;d<|q7hKlV^Bb^L{1}UR^RD-90z8$ABqJI5vvc;8nRxQtPGSVy%b`%Tu0ytcw#q>2^ zv4@Yn6VRk0>3m53w8&j|gU&!r&@Yf5z=HStq{m=X4~xez-!gmsJ>+VNG%JxG_j#VQ 
zLH7tE%w^2-`dnYJj_BXjEvN(!0vGUGI6ZJpQdbmYzj<`e@lkBmJ?yb`!9J%aH%4=p zxflv>%!;BL15K(?s^+PXkqe+jn|KsW$nWlp;QLS_%OmlP9V}u$Skp*31Z_pJ zDr%;gPjpao?~H%d?@Q@f+a#K34Z_~wLta29b-F<6LsEo+Y@eaqp@WO$Oo_T$OCnoj zQ`ytj`snnq>8bwmC>Wm$fQOVIf>9JX{X}~|NE)&24)SWu{OZYsW_QQ!4$ zScMt8lj( z=;P-2h1lB6moBv<>v)hBn5kRIVFAV$5uPLFx5u;cT7%H7kYp;CbVGouzwuc-F{`<6 zTlvyGc~?Y4>ll&OI&OA^F%``{xN5i?Iyj~RYQ&pZnaLai9f{4UG+gxFevUKM+l#1C zolF=`clnhG7nAIWseJ6d2NX|S?r_Jh9;WYHy8P~!{aIm5mqvd3jDa{#S>H}=Obl3Y z^HB>4v5`hH>N$%6^!e$8-x#pdMH-98j%|>nL)z+>Z;A(-qsb8M|0#Y78KMFvLr(v; z6@E*W{m6eX;06Fw$lwJu89e)cbb$WQ5y?Dm)l@pw{)Y}Q8Qgp)>);r>Q&d_aiwjRw ziJ`|^EPHAyot%9*&O?fMzeo^5_$p~{=3JQL^!Aj&8M)QVf5o7nx#QjhTw(@GnQntW zeONYuSIBI??WPCX@;oi{`s?4lVu}4hCokodWJ7f1CTcneE*_godfXiF%T-Y|F{2hm z(c$T3u@nBeZfe@xPplSX0Yuo+3f=fvVc7E7JDODt6;ar_Y27j@FV~c{H$*(=&D*iZ zMOQsHfIqEc`7lvWXG*Eb29^pYDi(yqdZ45djNG_Bm;qsJj0uw8i<-`*(J{IABKku6 z4V3JW+jf%~h0RQ{U`V2wh-daW0y~ zp4zRkl{tmR=X3h;*7iJW1=Go+UY^Q!r5XyMx{3@%$=jn;X>&j+QZ!BkG4kMToj%T! z&nbHE<)u8n)lae>}@H?gVPfbI<*grRNgj*mallqpa?X63N(b z$0RR(??g@FfP`n|%O+$O?RAk98A-45w|!M$=%5Mj5$1UrghAMbXCyNUA1d3=TCVsD zSbd;dm3gisP;P?;KGGlZn4bv-g5Ea-3WefVE>vVVLoEGIjua%#~l zb}D5)4fP##YyV1jlj4n`(yFc1OeGe!cse24UoIwbGTW0LlM3-p`W{v zClJG{=0Y$b{_vi2u9mO7Re!uCOq?>c)WC!$VAXSWKmIuEz1Q^Z@uECU;W6z9FKY=^ z$CW0rY0;iOpK#3#tE1$-BG~*(QUQ8Dq;U|&6~EPC`@k2|8;ki;o-jOR8zES#ond)y zgvR=*U&7gxrvzkLdnBVM6-ZL+hHHr?lx=Pr1AkzaqnP_hQ#;8v7dar_)T@_!mF0eO z_dEypj#NnO!&W4)yy8IC#JZR~<)4U0)V0L0JZU;=k+2C7>(_<{zjkzLa$@Z06wlyGv@ghWKt{Hw;=CeH_ij4pHO< r0YxEfV19(~1$ehwo`J~t$iV=q1`@{TdJE?48;WtAJtQXoS;>C^L~kF5 literal 0 HcmV?d00001 diff --git a/t/cert/client.unsecure.key b/t/cert/client.unsecure.key new file mode 100644 index 0000000000..92e5d89f8b --- /dev/null +++ b/t/cert/client.unsecure.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA3IxY8IxyOqsfuC4zfFL5fSghuvnNpLzCDtM+KfiB08lByT1j +ArS0M6D7YhTQKKZ2qhVPtdnu8g+Ba1oWhTdReN6jNeppd4OhVHk18KS79s68ChTh +DE7qR7kERfUd5/mPy+Zz9uT9CV+/UEWDeUa5KoyH0oRNk0C6GqCj3/AK4QJEZEuN +koU7qXTxO4sntQ294smCWgWvBRdhWEXeTWYDv+4xdROJ44DtI/gY4NAaweGAaA58 +fMvR/hCuoxZQqDy5nLbVNxQOvxpdG7v/0FfCs9jvbdyswPl3fmpnCkFRcCp2iZ9X ++gz9NGFbDmJzbl+WdyWo3RKLFUjcLs8qzWqE1wIDAQABAoIBAQCZJ+FvkqiUs1dA +qNzaHijhUCg0VtsG5ooAj5Ogw9EsiJtlq3qBW4m0PLu1feyb/hVzwX7sMx5q/HeM +XDA9bI/oVvuSKmn5M/Cp386kgVGCcEhG2/74dCjfi80646BUAotoNm4bayOJCfOq +Q8usQX++235Ko9PXSWCzsxB6J5D2dTkbDdKeMvfm6jYC3LZVFUWpoR9gqUkorC43 +88+cz6VP8uRp3ZGEtCcsPiF6b16Ft7ayqkQrOy7fUk6ewSF5xFBZveY7xGyuSdHC +gE3frF3M7j0/AdKIghDcL/zJqWZNSPepjKKjAIdmkI7CuHfSag1Y78JlqnqE5QQc +ajEZxn4JAoGBAPqX0Jevek8huDeh7yAqgTFZspA/ixeU5Ux6XzXeA3ZGahN9wWT9 +HIPx3Sauhgj8GQbb6UJNnnUMdrTsf6sE6EZ+YiQLG9aVpuz7b1bgyFgeqpalX6kn +8amnbTWQJR3XkEJCbj81uPx7CF3j4abioArPQQtCsNEAH/klfntaGETDAoGBAOFO +k3cDu2FLf5CMW8eKe9amt8Dp9ZsiVoEL23Gx0J9JJqwbHlo8HRkCSQn8sH7bpW26 +JxFN9I4y/FFg9GRnwazwC/u40PW7bD+7fNMlYQYxArT7Oy/mBbWg2WECpSMYFg5Z +8aPRvLuRz0OmyVjuFd5LAD5reEbKT23us5e6365dAoGAUJCqgXnrKrG+ljQ7uu2v +Z3xdCj9Dqqs2JSZaoejk2Au/YtDVcnBl0I3b+em2MgFK0oe1MJnfzeXZ7ET0rrj/ +LFrJlqjzpEOszRfxLc9K2fnSAmjcnne3HEI1vDjBlhyNxp+w7iWJebLcd8Mh8xN9 +PLxxPvuL+UW/AczqIyJOFx0CgYEAu0N677WrXY/JxBPVCMHCckN5gR80Iy/kJDf9 +ub7oPiwnt26GyMskCDBNEr7y102qbswFQq2/cR1ReDYUiwtt/1Y5L4yKKWQQ8dvc +QQbVYLcFn/UcWZBe+HprkuUG6mdPlbgOTnG541Cqq3kJ6x9gD7XYywi6HGR0plN6 +88a/uYUCgYEA3HljWV8HryfVhS2ZIE2spX6mzE+B5ePPM9+OJo85GzgxCbYB2StI +YThLxp1nuEWVhOK/PB4NyG6QeoeXhf79ZuYGjK7d/mlGpWLDpcuntss4S+pOBXxa +7kZU9yNp7Coge7k+xq23ZBGSXQ/e2UfgqPgipJSVSu1vQlAk+B1FiE0= +-----END RSA PRIVATE KEY----- diff --git a/t/cert/generate-openssl.sh b/t/cert/generate-openssl.sh new file mode 100755 index 0000000000..6cbf353a16 --- /dev/null +++ b/t/cert/generate-openssl.sh 
@@ -0,0 +1,28 @@
+#! /bin/bash
+
+cd "$( dirname "${BASH_SOURCE[0]}" )"
+
+SUBJECT="/C=US/ST=California/L=Mountain View/O=OpenResty Inc"
+
+PASSWORD=${PASSWORD:-openresty}
+
+openssl genrsa -des3 -passout "pass:$PASSWORD" -out server.key 2048
+openssl rsa -passin "pass:$PASSWORD" -in server.key -out server.unsecure.key
+openssl req -passin "pass:$PASSWORD" -new -subj "$SUBJECT/CN=server" -key server.key -out server.csr
+
+
+openssl genrsa -des3 -passout "pass:$PASSWORD" -out client.key 2048
+openssl rsa -passin "pass:$PASSWORD" -in client.key -out client.unsecure.key
+openssl req -passin "pass:$PASSWORD" -new -subj "$SUBJECT/CN=client" -key client.key -out client.csr
+
+
+openssl req -passin "pass:$PASSWORD" -passout "pass:$PASSWORD" -new -x509 -subj "$SUBJET/CN=ca" -keyout ca.key -out ca.crt
+openssl x509 -req -sha256 -days 30650 -passin "pass:$PASSWORD" -in client.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out client.crt
+openssl x509 -req -sha256 -days 30650 -passin "pass:$PASSWORD" -in server.csr -CA ca.crt -CAkey ca.key -set_serial 2 -out server.crt
+
+
+openssl pkcs12 -passin "pass:$PASSWORD" -passout "pass:$PASSWORD" -export -clcerts -in client.crt -inkey client.key -out client.p12
+openssl pkcs12 -passin "pass:$PASSWORD" -passout "pass:$PASSWORD" -export -in client.crt -inkey client.key -out client.pfx
+openssl x509 -in client.crt -out client.cer
+openssl x509 -in server.crt -out server.cer
+
diff --git a/t/cert/server.cer b/t/cert/server.cer
new file mode 100644
index 0000000000..4e7c2fffe4
--- /dev/null
+++ b/t/cert/server.cer
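Review bot: The CA line uses `-subj "$SUBJET/CN=ca"`, a misspelling of `$SUBJECT`, so the variable expands to nothing and the CA is issued as plain `/CN=ca`. The same `openssl req -new -x509` command has no `-days`, so the CA certificate gets openssl's default lifetime of 30 days while the leaf certificates get `-days 30650`. Once the CA expires, verification against `ca.crt` in the `ssl_verify_client on` test server would be expected to fail. Suggested line: `openssl req -passin "pass:$PASSWORD" -passout "pass:$PASSWORD" -new -x509 -days 30650 -subj "$SUBJECT/CN=ca" -keyout ca.key -out ca.crt`. The `cd "$( dirname "${BASH_SOURCE[0]}" )"` line should also end with `|| exit 1` so that key files are not written into the caller's directory when the cd fails.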
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICZTCCAc4CAQIwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAxMCY2EwIBcNMTcw +MTE2MDQwODI0WhgPMjEwMDEyMTcwNDA4MjRaMGMxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK +Ew1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDEwZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQCzEP5GCRQAoPLebEfgPKLPByJ/Waf5cCGwDm4F+Qvp +cJ2HWixR8gvhAtAuAYboNZBPOGP2IApQ9df4xMvLYgi+MJ0mF40Fc9o0Oefg/JEc +CCtqHVt+qBOmu+SnJ4AjLBneN6yJwZAVaAk5Pwu6ujvSzr148EUWP8strUD8TPH0 +epOfhbC0O7SnGdJiSyIdnfWPC20eWV0ViZ6LoFC0SmnYhL1NQHOP/s1NaLeY63fC +qU2zZY5ea7tJdR8H5Tpx145p5d5pSl0lhKYxYqmfZ872fnWos3GMednNcQLwgEeI +4tAogDeYumxD3F6NAQcWfMb0ErwF3BIAqvVhCLdqnpDbAgMBAAEwDQYJKoZIhvcN +AQELBQADgYEATCR7Payhb9BSgTvlg/o6ajs7mmmm09ZohEE0LH4/4FJVOEr+TQOd +V6vcVOV6eXAFlzkSYawyEjaze0Ux+m2DC1Oyem9JcEuJM5dGuNAkzdU6XbwgjQdW +Ik1+boENjzb3ou1EuD/lpr0KPzIZMwSW5gR5wOJueQBVYqUhRNGrKX8= +-----END CERTIFICATE----- diff --git a/t/cert/server.crt b/t/cert/server.crt new file mode 100644 index 0000000000..4e7c2fffe4 --- /dev/null +++ b/t/cert/server.crt @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICZTCCAc4CAQIwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAxMCY2EwIBcNMTcw +MTE2MDQwODI0WhgPMjEwMDEyMTcwNDA4MjRaMGMxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK +Ew1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDEwZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQCzEP5GCRQAoPLebEfgPKLPByJ/Waf5cCGwDm4F+Qvp +cJ2HWixR8gvhAtAuAYboNZBPOGP2IApQ9df4xMvLYgi+MJ0mF40Fc9o0Oefg/JEc +CCtqHVt+qBOmu+SnJ4AjLBneN6yJwZAVaAk5Pwu6ujvSzr148EUWP8strUD8TPH0 +epOfhbC0O7SnGdJiSyIdnfWPC20eWV0ViZ6LoFC0SmnYhL1NQHOP/s1NaLeY63fC +qU2zZY5ea7tJdR8H5Tpx145p5d5pSl0lhKYxYqmfZ872fnWos3GMednNcQLwgEeI +4tAogDeYumxD3F6NAQcWfMb0ErwF3BIAqvVhCLdqnpDbAgMBAAEwDQYJKoZIhvcN +AQELBQADgYEATCR7Payhb9BSgTvlg/o6ajs7mmmm09ZohEE0LH4/4FJVOEr+TQOd +V6vcVOV6eXAFlzkSYawyEjaze0Ux+m2DC1Oyem9JcEuJM5dGuNAkzdU6XbwgjQdW +Ik1+boENjzb3ou1EuD/lpr0KPzIZMwSW5gR5wOJueQBVYqUhRNGrKX8= +-----END CERTIFICATE----- 
diff --git a/t/cert/server.csr b/t/cert/server.csr new file mode 100644 index 0000000000..7d2c7ffc20 --- /dev/null +++ b/t/cert/server.csr @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICqDCCAZACAQAwYzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx +FjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFjAUBgNVBAoTDU9wZW5SZXN0eSBJbmMx +DzANBgNVBAMTBnNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ALMQ/kYJFACg8t5sR+A8os8HIn9Zp/lwIbAObgX5C+lwnYdaLFHyC+EC0C4Bhug1 +kE84Y/YgClD11/jEy8tiCL4wnSYXjQVz2jQ55+D8kRwIK2odW36oE6a75KcngCMs +Gd43rInBkBVoCTk/C7q6O9LOvXjwRRY/yy2tQPxM8fR6k5+FsLQ7tKcZ0mJLIh2d +9Y8LbR5ZXRWJnougULRKadiEvU1Ac4/+zU1ot5jrd8KpTbNljl5ru0l1HwflOnHX +jmnl3mlKXSWEpjFiqZ9nzvZ+daizcYx52c1xAvCAR4ji0CiAN5i6bEPcXo0BBxZ8 +xvQSvAXcEgCq9WEIt2qekNsCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQAvQ26G +icnm8cHelRwzrzwUkpjU15KjsRcTlZ7oJa+nhGvC56iuEs8UfaT1KY/g5pnxs6LJ +L9w7nohIPgMXkPPyAe5Kvm7cTjUAC7Sf82SIBHhiXMoeiIJPc0tTGgUIj0oZllEe +dkXcUz8UQgZ7wrF124U+pg8yJLgakKK9gvwZNhxy9svaQ9U1orBHTwOECoBHn18M +GV/+kq8GHfKVMTLojavCl6I3tX1oIpBWTFaZ6yC8XcrzMUha8VkjQwSdBUg0oJBG +2voi4vrGSGSiFiESW4d6rpY88T4xM43B7vQjq2/ZmDjbAlIUwXm9n8ZamsNhE78c +wqaJGD5/cskN/9eN +-----END CERTIFICATE REQUEST----- diff --git a/t/cert/server.key b/t/cert/server.key new file mode 100644 index 0000000000..0bca67f549 --- /dev/null +++ b/t/cert/server.key 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,76955DD55F0E76AE + +4dS6m1/EMqJVWCNBtxl4oCci+FRFlRr4BAcF0mqYaeUadVmmak19XD5yvCaXDO5I +Cr8Umj6AiXRl2RMxmHVYm5q67ZtkgL3tUWQpxkS4bwRPRfeDMS9bUTdvYlhvprUi +3UKtu4m5zIVR5j73hQSkydBPLolAlev56gqZS0MeLm20WUzR4RC+HL0sffnuBZgM +H1syMb5pOyB66tA6+RPnrKb9TH9ZSEp0mILxpNDO5VjQgfzZ41Fsi7voV5g/I+rt +W2KjV3V/lh0yaSTpwL/K0FrXh28pv3jtlsVHBXCxvmLl3XHgyVn3o+Hz4c3iQkgC +whbvmgWTLa4WgbwUKW8wOfWQEg0h6fkEIbI6AHCKDtRpB9RrIsG+5KdbcKEgteB8 +ndr0z/ppF+JBTsjpXXATWM9dBNTLJPeYlJMW8FLIl4I18pHgn7wgoEXLyNLQSJzs +H48nc5x+JRiHyKqCzRSe0k+tM1VO5n/h0wGieNuKKzOzE5SvcqN5lic7OqI5OLxD +AwproTT0iwwfbvg0tXphSD15eQ7VMAjdlx+80DtBked2/RDuOazC+mJXafM8QuUD +o1oDXJVmu0maDWq/601xUCNcoxI5gjXBkJBazEIiWkQzMGpUUkhQ+BftbUMbiJgE +nZSN7oNGWjlcYKRJoV7WYZ0RtmX3k7k7Vr69uzgsjDb+VjW4bcfSl4BxtXDDLpku +t4IY4GuranLLJo0KBkajQ+TmkCZRlkerMfyaWxIFBhVW6NqZqGEjWBHlfuW1jHfW +H0E4BHzbbNpFgWBktB4l5i0bsJuJzEa/T4WqnR1lC8RTtr94625uhqRCZv3OIWsO +D8Y4q1+/jQ5Bigd+GHAEgKfFSQwemygEY1pl4QfnTNg6Pixac83qwvdlh6Vlau8J +DTcD1xwVT2ks98/6U5oG9w9Na9RGVC9+0hIIL4wUnAS2SBc6oGOEnkGllFQ3aO8V +uoFwkClk4Ji7dcO6a6si2Eu33MGtUei9N4OoscZons6ppDGJjiEAL2XO/WuuVmpe +S6IB+Ytc1KanP4shSWdRTl69DCMCrEi2HImqCLKw30vH3mtWYS6lcxeY0vziuqsU +/eXvmgVnCIBXAcA3ndtCYVzGYDBcevavGve3qxdXPVEJDTyyrbpT78xejgSlQ3Hj +O71GYlmLWI4scLMxWpmwwrp5iBOBYYRss5J4MMZsWvAr1jhvNcnq1i0ALxw/ehxw +GY2GMDtWjNsjc4cmRXEhpM/CMiQie7E0WsMbG+gnVDGN/NFUSUaolkFlshA+FDwQ +AqlBZMkE3hJSG+8Gt4ObT8LsysmaT7hJqbScWZa7B1Hpkh+NKTOBLvSR4771lM15 +RcURBJtc7YxXuf2Cjbog9K02HOkyAlwnuWGkxjWMfPrEOKqAOSoTPUzEMBYD2OW1 +TNZUMDCmwPVk2AIvSZsb0jvTxwIv+tjKHZYYJ3tgm76bEMzXytkwnRZW0N1sTt34 +DWxp+VsJbJuvxtXiVNA3ZiH7E1FVhBn03kbAf2OZbvfY94ZCyGvZKeczKKfHJIXr +HA25wW7EiZbNDzVYHZc5DjD6tXb9lfOtE0THgQ8EZ8z06YgFbKSn7VPoBdzyTxgu +-----END RSA PRIVATE KEY----- diff --git a/t/cert/server.unsecure.key b/t/cert/server.unsecure.key new file mode 100644 index 0000000000..35aa96c02b --- /dev/null +++ b/t/cert/server.unsecure.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAsxD+RgkUAKDy3mxH4Dyizwcif1mn+XAhsA5uBfkL6XCdh1os +UfIL4QLQLgGG6DWQTzhj9iAKUPXX+MTLy2IIvjCdJheNBXPaNDnn4PyRHAgrah1b +fqgTprvkpyeAIywZ3jesicGQFWgJOT8Luro70s69ePBFFj/LLa1A/Ezx9HqTn4Ww +tDu0pxnSYksiHZ31jwttHlldFYmei6BQtEpp2IS9TUBzj/7NTWi3mOt3wqlNs2WO +Xmu7SXUfB+U6cdeOaeXeaUpdJYSmMWKpn2fO9n51qLNxjHnZzXEC8IBHiOLQKIA3 +mLpsQ9xejQEHFnzG9BK8BdwSAKr1YQi3ap6Q2wIDAQABAoIBAQCjpTML5D4AeRab +yM9DEYcktnuDcPc+0Ygn8ngAQ2Lsevur9++rEA5lG4IPmVumGVWB4KISC6QB6zrt +4UPx4ezli14CsuExC3ht5EGSbp9aw+iROLUmIgqbhPlo/YNwIVyepbiryFaaCZLs +Wz6n7oy/kiq8PLCWrcRMQRqzuMoiRt6FH//c2o9kWupL7GkdnuYGLKCr0g2YEWDq +e8LTWG9KQSZj1enTlnuIBuvS2LHJOolsSxRvBfqoiZwWH0qOmEgZeDfoAEdpdfac +QpUCLwyZLw3B78FAuAcQ0CdVTCvHU0y887j5IZkulKF05IHyA+gH8ArsE29egT0A +I30mOI7hAoGBAOnrf8vWQZTbkepcYu/7QvmfHjHXT334e3v6p9Vy7+C2RDfsFByH +7zqwTA4/rBx5zb+UBEoZfReKXpZXl5HXS9Aqs0wjFYO4x3Vrk9vWaPsCg1nQ78ln +UdWeEzo2G34HhaU8+FcFN4FkM3EaCzQFX2ackH9p05QjY8axPtqR35/xAoGBAMP3 +/8TdujJmwTEdNjFhvSCqdmGexy/DuQIjShsy4CJpQBhYyA7bpB7vu2aUuNVc5xWc +Frc3n+MgroVN+dqfNbYpNZDo6SZfIvpnHDFnGMuQ3sMNlX1KAg6rqE9afCvjh/y6 +CoRWcksd+KSTEIkDNyQ8yRrlzk3JlFxtsocyB0mLAoGAMFtKs+y66fbqFzS6Dzo2 +AjxulYcZG8V+YYbTo0B7bky/lX/sOGmxfsRrNJbdEZXsfqouqNLUFUW5gALjhnan +aYUqQ5cNH4nXUeLHUi7kzN8cIDkdGNmPBUYEW4hL7qXHbv1HqVWev9Ti/YKQxlRG +AIRlKrHJ11npim2hvLVjMUECgYEAnarSZZnfTN3PYayXBXQVrkp3pGMS7yMRnt61 +qNxt6EG2B+CmVQ3yJdHLfOT7MO7mHUTQIejnAt4wi6AI/hRKKp1NM6Gws+anRb/f +tv+zu1R7ZYNwWrVIonUJnY63iLgvmO41t/O1USpz+jU4gIPNwaIGS1XJflxIuXSo +xo1Bv7ECgYBEYv3Vkgo2PENzuDwm3ZYSPhU284azxOraLV7yNXmcwHfqhVdLFF6m +o078kSOzOgpGCJnrFflDWYcfevGTgzJEpmeOQkSFOTBQCV7juR8LY3dQtj8uhQhm +dfBNxVBwBUpAuxAy6KIiqG3u01OORPC51kiA0+Qm33F22Z8WliIO0A== +-----END RSA PRIVATE KEY----- From adfcb874663735f74fb8d25f7cab42ee7e41f9cd Mon Sep 17 00:00:00 2001 From: detailyang Date: Mon, 16 Jan 2017 15:10:52 +0800 Subject: [PATCH 2/5] style: add empty line for test --- t/129-ssl-socket.t | 1 + 1 file changed, 1 insertion(+) 
diff --git a/t/129-ssl-socket.t b/t/129-ssl-socket.t index 6581c693ef..a8e3030b40 100644 --- a/t/129-ssl-socket.t +++ b/t/129-ssl-socket.t @@ -2747,6 +2747,7 @@ failed to set ssl certificate: closed --- timeout: 5 + === TEST 35: setsslcert should return error on sslhandshaked connection --- http_config eval: $::sslhttpconfig --- config From 34bfc062509f3f134b60793eab33da275e57e2e6 Mon Sep 17 00:00:00 2001 From: detailyang Date: Tue, 17 Jan 2017 14:07:30 +0800 Subject: [PATCH 3/5] typo: ngx_http_lua_ssl_password_callback --- src/ngx_http_lua_ssl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index 5d56c3d1fb..f464b88c29 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c @@ -41,7 +41,8 @@ ngx_http_lua_ssl_password_callback(char *buf, int size, int rwflag, if (rwflag) { ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0, - "ngx_ssl_password_callback() is called for encryption"); + "ngx_http_lua_ssl_password_callback() " + "is called for encryption"); return 0; } From e233ba342cc667868eea3d1e8a16ced341cdce5a Mon Sep 17 00:00:00 2001 From: detailyang Date: Tue, 17 Jan 2017 14:07:49 +0800 Subject: [PATCH 4/5] style: add empty line before else --- src/ngx_http_lua_ssl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index f464b88c29..5429cf14e8 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c @@ -53,6 +53,7 @@ ngx_http_lua_ssl_password_callback(char *buf, int size, int rwflag, if (pwd->len > (size_t) size) { ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0, "password is truncated to %d bytes", size); + } else { size = pwd->len; } From af5f8e06784304e258c7fdd4aa419a4d2a86f191 Mon Sep 17 00:00:00 2001 From: detailyang Date: Wed, 18 Jan 2017 11:19:00 +0800 Subject: [PATCH 5/5] refactor: remove SSL_CTX_set_default_passwd_cb --- src/ngx_http_lua_ssl.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index 5429cf14e8..998a71193d 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c @@ -53,7 +53,7 @@ ngx_http_lua_ssl_password_callback(char *buf, int size, int rwflag, if (pwd->len > (size_t) size) { ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0, "password is truncated to %d bytes", size); - + } else { size = pwd->len; } @@ -138,8 +138,6 @@ ngx_http_lua_ssl_certificate(ngx_ssl_t *ssl, ngx_str_t *cert, ERR_clear_error(); } - SSL_CTX_set_default_passwd_cb(ssl->ctx, NULL); - return rc; }